trying to figure this out as well... I've always hated cert work. So I'm using a windows app, CertifyTheWeb that works with my cloudflare API to perform the DNS-01 check with LetsEncrypt to grab my cert files.
This is what I have done based on what you have said but I think I may need to identify the order CertifyTheWeb puts the certificates in the .chain file cause it's not working. screen clipping of what tasks I get Certify the web to use when it exports my certs screen shotted.
Any ideas?